
Blockchain and EU Privacy Law: A Three-Step Guide to Compliance

Published: 2019-11-14

What are managers to do when one of the most progressive privacy laws runs smack into one of the most promising technologies? 

How do you manage seemingly conflicting opportunities when it can be argued that both are equally important to your organization’s success?


This refers to the European Union's recently enacted "right to be forgotten" law, officially known as the General Data Protection Regulation (GDPR), and to Blockchain technology, unofficially hailed as a critical advancement in securing digital operations thanks to its democratic distribution of data and its generally immutable nature.


As with many exciting new technologies, the hype surrounding Blockchain has been extreme and prompted a tidal wave of corporate experimentation that has proven one thing: Blockchain is not a good fit for all applications, but for some, it is an exceptional fit. 


Many commentators have concluded that GDPR and Blockchain technology are fundamentally incompatible, the digital equivalent of oil and water. At the request of our member companies, DSCI worked with two leading international law firms to understand the new privacy law as it applies to this nascent technology.

Our conclusion is that GDPR and Blockchain can happily coexist and provide a framework for addressing GDPR compliance in a Blockchain network. We do not believe that Blockchain technology and data protection and privacy are inherently contradictory. Quite the opposite. A Blockchain solution that respects the fundamental principles of data protection and privacy is possible if the following three guiding principles are followed.


01 Keep it private

While the most common vision of Blockchain is of a fully public network that anyone can join, there are also many private networks that require permission to join. Because anyone can join a public Blockchain, it is impossible to ensure that participants agree to the necessary rules around the protection of personal data. As a result, starting with a private network is the first step on the path toward a GDPR-compliant Blockchain solution.


02 Don't get personal

The most obvious way to avoid GDPR compliance issues is to use a Blockchain approach that does not handle any personal information at all. While keeping a Blockchain completely free of personal data will likely be very difficult, it is not impossible. Encryption and middleware software provide potential solutions.


03 Set the rules up front

A GDPR-compliant Blockchain solution has a lot of requirements to satisfy. That means rules—for everybody. A GDPR-compliant commercial Blockchain solution will require a governance framework that is contractually binding on all participants and clearly sets out each party’s rights and responsibilities.

In our view, a GDPR-compliant Blockchain solution can exist where that solution involves a defined group of participants, all of whom agree to a common contractual governance framework. However, this will require steps to be taken by regulatory authorities and technology providers, such that the outstanding privacy challenges posed by Blockchain (but not fully addressed by legislation or regulatory guidance) can be solved.

We call on regulatory authorities to take the steps necessary to address the outstanding privacy challenges posed by Blockchain technology and deletion of personal data. Innovative solutions to data protection challenges will only succeed with the understanding and support of regulators and lawmakers.


There is a risk that, if steps are not taken by regulators and lawmakers to bridge the gap between data protection law and Blockchain technology, we will witness a slowing in (or even end to) advancements in the area of Blockchain solutions. Such an outcome would ultimately be detrimental to technological developments that may have the capacity to deliver substantial benefits to the world as a whole.

Rights and obligations under Blockchain and GDPR

There is also tension between the purposes for which Blockchain is applied and GDPR's data protection principles and data subject rights. For example:

1) The principle of lawful processing. In a Blockchain scenario where the data controller cannot be identified, how is the lawful basis for processing personal data to be determined?

2) The data minimisation principle and the data subject's rights to rectification and erasure. Once personal data is recorded on a Blockchain network it may be very hard to rectify or delete. In the context of Blockchain, under what circumstances can data be regarded as deleted?

3) The data subject's right of access. If there is no identifiable data controller, against whom should the right of access be exercised?

4) Automated processing. Under GDPR, data subjects have the right to be informed about automated processing and may exercise certain rights in relation to it. Blockchain strongly promotes the automation potential of smart contracts, so how can smart contracts be regulated in accordance with GDPR requirements? And when a smart contract has to incorporate measures for human intervention, the transaction participants' trust in the smart contract falls sharply.

5) Territorial issues. It goes without saying that while GDPR promotes the free flow of data within the EU, it imposes many conditions on transfers of data outside the EU, whereas Blockchain is global.

6) Data protection by design and by default. GDPR requires data protection to be built into the platform, but Blockchain technology is immature and is often developed by open-source communities, so there is room for improvement in how personal data protection is built in.
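One way to make the "Don't get personal" principle and the erasure question in point 2) concrete, as an added example that is not part of the original article: personal data stays in an off-chain store behind the middleware layer, the chain carries only a keyed commitment, and an erasure request destroys the subject's key so that nothing on-chain can be tied back to the person any more. The ledger class, subject ids and sample records are all constructed for this illustration and are not from any real project.

```python
import hashlib, hmac, json, secrets
# Hypothetical pattern, constructed for this example (not from the article): personal
# data lives only in an off-chain store behind the middleware layer; each block carries
# only HMAC(subject_key, record), which cannot be linked to a person once that key is gone.

def block_hash(prev, commit):
    return hashlib.sha256(json.dumps({"prev": prev, "commit": commit}, sort_keys=True).encode()).hexdigest()

def commitment(key, record):
    return hmac.new(key, json.dumps(record, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class OffChainLedger:
    def __init__(self):
        self.blocks = []        # on-chain: previous hash + commitment, never personal data
        self.subject_keys = {}  # off-chain: subject id -> random 32-byte key
        self.records = {}       # off-chain: subject id -> personal data

    def append(self, subject, record):
        key = self.subject_keys.setdefault(subject, secrets.token_bytes(32))
        self.records[subject] = record
        commit = commitment(key, record)
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "commit": commit, "hash": block_hash(prev, commit)})
        return commit

    def is_linked(self, subject, record):
        key = self.subject_keys.get(subject)  # None after erasure: nothing can be proved any more
        return key is not None and commitment(key, record) in {b["commit"] for b in self.blocks}

    def erase(self, subject):
        self.subject_keys.pop(subject, None)  # erasure request: destroy the key ...
        self.records.pop(subject, None)       # ... and the off-chain record; the chain is untouched

    def verify_chain(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or block_hash(prev, b["commit"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

def demo():
    alice = {"name": "Example Person", "email": "person@example.com"}  # constructed sample
    ledger = OffChainLedger()
    ledger.append("subject-42", alice)
    before = ledger.is_linked("subject-42", alice)
    ledger.erase("subject-42")
    return {"linked_before": before, "linked_after": ledger.is_linked("subject-42", alice),
            "chain_ok": ledger.verify_chain(), "pii_on_chain": any("example.com" in json.dumps(b) for b in ledger.blocks)}
```

Whether destroying the key counts as deletion in a regulator's eyes is exactly the open question the article raises; the code only shows that the chain's integrity survives erasure while the link to the person is severed.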